Hi Pablo,

I find that xt_connlimit could not get an accurate conn count under heavy traffic on a multi-core platform. For example, I create one rule as follows:

iptables -t raw -A PREROUTING -s 192.168.3.88 -m connlimit --connlimit-above 100 --connlimit-mask 32 -j DROP

I use Thunder (a P2P download tool) to test. As a result, the total conn count of 192.168.3.88 could reach 300+. Then I made some changes to fix it, and the conn count only reaches 100 ~ 120 at most.

I planned to submit a patch, but I think the already-closed conns are not counted by the current xt_connlimit. (Even if the already-closed conns were counted, the current xt_connlimit still could not get an accurate count; there are other changes needed to enhance it.)

So is it necessary to get a very accurate count for xt_connlimit? If so, why don't we count the already-closed conns? If not, my patch is necessary.

Best Regards
Feng